A class action lawsuit has been filed against Wiley Rein LLP in the US District Court for the District of Columbia, accusing the Washington-based law firm of failing to protect sensitive personal data that was allegedly exposed in a cyberattack linked to actors “affiliated with the Chinese government.”
The complaint, filed by Florida resident Derrick Burkett on behalf of a proposed nationwide class, alleges hackers had access to the firm’s Microsoft 365 email systems between July 2024 and March 2025, with the intrusion only being discovered on June 13, 2025.
“The Breach occurred between July 22, 2024, to March 18, 2025, but was not discovered until June 13, 2025,” the petition said, adding, “In other words, cybercriminals had unfettered access to Defendant’s systems for a staggering eight months and were not discovered by Defendant until almost a year later.”
According to the suit, compromised information may include names, addresses, dates of birth, financial account numbers, medical information, and Social Security numbers. Plaintiffs allege that many affected individuals had “no relationship” with the law firm and never consented to the storage of their information.
The complaint further claims that the law firm waited nearly nine months after discovering the breach before notifying impacted individuals in March 2026.
“Defendant took nine months before informing Class Members even though Plaintiff and thousands of Class Members had their most sensitive personal information accessed, exfiltrated, and stolen, causing them to suffer ascertainable losses in the form of the loss of the benefit of their bargain and the value of their time reasonably incurred to remedy or mitigate the effects of the attack,” the petition said.
The filing alleges the breach stemmed from inadequate cybersecurity practices, including a failure to implement industry-standard protections such as multi-factor authentication and proper employee training.
Plaintiffs argue the firm violated both federal standards and accepted cybersecurity frameworks, including FTC guidance and the NIST Cybersecurity Framework 2.0.
The suit also claims one plaintiff experienced at least 19 allegedly fraudulent charges on a MetLife account shortly after the breach notification, suggesting potential misuse of stolen data.
The plaintiffs are seeking class-action certification, monetary damages, injunctive relief, and court-ordered cybersecurity reforms.

